cleanup the environment before submitting jobs (#3628)

* sanitize the job environment * sanitize bc jobs * climate_control not only dev/test gem now * should not have added pry
OSC · Jun 24, 2024 · b4e6998 · b4e6998
1 parent 27ce963
commit b4e6998
Show file tree

Hide file tree

Showing 5 changed files with 82 additions and 4 deletions.
diff --git a/apps/dashboard/Gemfile b/apps/dashboard/Gemfile
@@ -21,7 +21,6 @@ gem 'sdoc', group: :doc, require: false
 group :development, :test do
   # Call 'byebug' anywhere in the code to stop execution and get a debugger console
   gem 'byebug'
-  gem 'climate_control', '~> 0.2'
   gem 'timecop', '~> 0.9'
 end
 
@@ -50,6 +49,7 @@ gem 'dotiw'
 gem 'local_time', '~> 1.0.3'
 gem 'zip_kit', '~> 6.2'
 gem 'rss', '~> 0.2'
+gem 'climate_control', '~> 0.2'
 
 gem 'jsbundling-rails', '~> 1.0'
 gem 'cssbundling-rails', '~> 1.1'

diff --git a/apps/dashboard/app/models/batch_connect/session.rb b/apps/dashboard/app/models/batch_connect/session.rb
@@ -4,6 +4,7 @@ module BatchConnect
   class Session
     include ActiveModel::Model
     include ActiveModel::Serializers::JSON
+    include SanitizedEnv
 
     # This class describes the object that is bound to the ERB template file
     # when it is rendered
@@ -309,7 +310,9 @@ def submit(opts = {})
       job_script_options_file.write(JSON.pretty_generate(options))
 
       # Submit job script
-      self.job_id = adapter.submit script(content: content, options: options)
+      ClimateControl.modify(sanitized_env) do
+        self.job_id = adapter.submit script(content: content, options: options)
+      end
       db_file.write(to_json, perm: 0o0600)
       true
     rescue => e   # rescue from all standard exceptions (app never crashes)

diff --git a/apps/dashboard/app/models/concerns/sanitized_env.rb b/apps/dashboard/app/models/concerns/sanitized_env.rb
@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+# Sanitize an environment by returning a new Hash that can
+# be used with ClimateControl to submit jobs with that new
+# environment.
+module SanitizedEnv
+  PREFIXES = [
+    'SECRET', 'PASSENGER', 'BUNDLE',
+    'RACK', 'HTTP', 'NODE', 'RAILS', 'RUBY',
+    'GEM', 'NGINX'
+  ].freeze
+
+  def sanitized_env
+    # these are all one offs that we should clear so they don't conflict
+    # with the job.
+    {
+      'LD_LIBRARY_PATH'  => nil,
+      'MANPATH'          => nil,
+      'PYTHONUNBUFFERED' => nil,
+      'X_SCLS'           => nil,
+      'WSGI_ENV'         => nil,
+      'ALLOWED_HOSTS'    => nil,
+      'IN_PASSENGER'     => nil,
+      'SERVER_SOFTWARE'  => nil,
+      'PKG_CONFIG_PATH'  => nil
+    }.merge(sanitize_env(Regexp.new(PREFIXES.join('|'))))
+  end
+
+  def sanitize_env(prefix)
+    ENV.select do |key, _value|
+      key.start_with?(prefix)
+    end.map do |key, _value|
+      [key, nil]
+    end.to_h
+  end
+end
diff --git a/apps/myjobs/app/models/concerns/sanitized_env.rb b/apps/myjobs/app/models/concerns/sanitized_env.rb
@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+# Sanitize an environment by returning a new Hash that can
+# be used with ClimateControl to submit jobs with that new
+# environment.
+module SanitizedEnv
+  PREFIXES = [
+    'SECRET', 'PASSENGER', 'BUNDLE',
+    'RACK', 'HTTP', 'NODE', 'RAILS', 'RUBY',
+    'GEM', 'NGINX'
+  ].freeze
+
+  def sanitized_env
+    # these are all one offs that we should clear so they don't conflict
+    # with the job.
+    {
+      'LD_LIBRARY_PATH'  => nil,
+      'MANPATH'          => nil,
+      'PYTHONUNBUFFERED' => nil,
+      'X_SCLS'           => nil,
+      'WSGI_ENV'         => nil,
+      'ALLOWED_HOSTS'    => nil,
+      'IN_PASSENGER'     => nil,
+      'SERVER_SOFTWARE'  => nil,
+      'PKG_CONFIG_PATH'  => nil
+    }.merge(sanitize_env(Regexp.new(PREFIXES.join('|'))))
+  end
+
+  def sanitize_env(prefix)
+    ENV.select do |key, _value|
+      key.start_with?(prefix)
+    end.map do |key, _value|
+      [key, nil]
+    end.to_h
+  end
+end
diff --git a/apps/myjobs/app/models/resource_mgr_adapter.rb b/apps/myjobs/app/models/resource_mgr_adapter.rb
@@ -4,6 +4,8 @@
 # OodJob errors will be caught and re-raised as PBS::Error objects
 class ResourceMgrAdapter
 
+  include SanitizedEnv
+
   attr_reader :workflow
 
   def initialize(workflow)
@@ -34,8 +36,9 @@ def qsub(script_path, host: nil, depends_on: {}, account_string: nil)
       job_array_request: workflow.job_array_request.presence,
       copy_environment: workflow.copy_environment.eql?("1") ? true : false
     )
-    adapter(cluster).submit( script, **depends_on)
-
+    ClimateControl.modify(sanitized_env) do
+      adapter(cluster).submit(script, **depends_on)
+    end
   rescue OodCore::JobAdapterError => e
     raise PBS::Error, e.message
   end